Your Guide to GDPR Compliance: Data subject rights
Continuing on from our GDPR series, with the first, second, and third posts, we are now going to address the topic of people’s privacy rights in detail. The GDPR gives people more control over their personal data by introducing new rights and organizations now have a limited time to respond to a customer’s request with regards to their data being used. In order to comply, organizations need to be transparent about the data they collect and what they will use it for.
The data rights of people are:
- the right to be informed
- the right to access
- the right to correct or amend
- the right to deletion
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision-making and profiling
It is very important to protect and respect people’s data rights because if you don’t, they can now lodge a complaint (GDPR, Article 77.) and seek judicial remedies, both material and non-material. (GDPR, Article 79.) Your company or organization is directly responsible for any damage caused by processing and for the security of personal data that is passed to the processor.
Let’s explain each of these rights one by one.
1. The right to be informed
Your users and customers need to know all the information regarding the processing of their data and are entitled to have a privacy notice which informs them of the following:
- Contact details of your company and Data Protection Officer
- What personal data of theirs will be processed
- Purpose of the processing for which the personal data is intended as well as the legal basis of processing
- The legitimate interest of processing
- Whether or not their data will be transferred to any third parties
- How long their data will be stored by you
- What are their rights (rights to access, rectification or erasure of personal data, including the right to withdraw consent and to lodge a complaint with a supervisory authority)
- The existence of automated decision-making, including profiling and information about how decisions are made, the significance and the consequences
Privacy notices should be written using clear and plain language and should be provided to the person when the data is collected. If you’re collecting the data from someone else, you should also inform the customer of the source and the kind of private data collected. In this case the privacy notice should be provided to the individuals within one month.
2. The right to access
Similar to the right to be informed, people have the right to know and ask if their data is being processed and:
- What exactly is processed
- The purpose for processing it
- Who will receive their data
- How long the data will be stored
- The right to lodge complaint to the supervisory authority
- The existence of automated decision-making, including profiling and are there any consequences of such processing to the data subject
This is simply called a data subject access request (DSAR). You will have to provide information within one month of receiving the request and can only extend the period with a justified cause for the delay. The information should be free of charge unless the individual makes repetitive and unfounded requests. In that case a reasonable fee can be charged. (Article 12.)
To respond to an access request, the first thing to do is to check the person’s identity and whether you are already processing their data. If the request is regarding large amounts of data, he or she should explain and specify which data should be deleted or adjusted. Also, check if the other people's data is involved and if so, filter the data. If the request was made in electronic form you should provide the information in the same way. Companies can refuse to comply with a subject access request if the information required can affect the rights and freedoms of others.
3. The right to rectification
People have a right to correct any data that is inaccurate or incomplete. If the data is passed to other companies or organizations they should be informed that the data is updated, as they should also update on their systems. The request can be made verbally or in writing. This right is tightly connected with the right to access.
4. The right to erasure (The right to be forgotten)
Companies should promptly delete data, when requested to do so under these following circumstances:
- The personal data is no longer necessary for the purpose it was collected
- The individual withdraws consent
- The person objects and there are not any legitimate grounds for the processing
- The data was unlawfully processed
- The data have to be erased to comply with a legal obligation
You must inform any third parties who are processing the same data, that the person requested to delete and to take reasonable steps and technical measures to erase that personal data. On the other hand, this right is not absolute because you can refuse to delete the data under these following circumstances:
- To protect the rights and freedoms of expression and information
- To comply with a legal obligation
- For reasons of public interest and public health
- For archiving, scientific or historical research or statistical purposes
- For the exercise or defence of legal claims
The controller can refuse to erase the data if the request is exaggerated, unfounded or repetitive, but you need to justify the decision.
5. The right to restriction of processing
When people request to limit the way an organization uses their data, you can only store the data and not use it, except under these circumstances:
- The person gave their consent for the data to be used
- It is for the exercise or defense the legal claims
- To protect the rights of another person
- It is for public interest
If the data has been passed to another organization, you should also inform them of the restriction so that they can also follow the request. This request is only temporary, especially if you need to check that the data is accurate or you need to establish that you have legitimate grounds to process the data and whether they will override the individual’s objection. The data subject needs to be informed before the restriction is lifted.
6. The right to data portability
The people also have a right to request to move or copy their personal data from one organization to another. It is better to transfer the data directly to the other organization securely in a digital format such as a RTF or CSV file.
This right can only apply:
- If the processing is based on consent
- when processing is carried out by automated means
7. The right to object
People can object to having their data processed, including profiling. Unless there are legitimate grounds such as where the request overrides the interests, rights and freedoms of others, or exercise or defence of legal claims, you must stop processing the data.
If an individual objects to having their personal data used for direct marketing, their data should be removed and no longer processed. In this case this right is absolute. People can also object to processing for research or statistical purposes, but only if processing is not necessary for reasons of public interest.
8. Rights in relation to automated decision-making and profiling
We have learned by now that the Regulation applies to all automated individual decision-making and profiling. It also aims to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.
This decision-making can be carried out if it is:
- necessary to fulfill a contract between the individual and your company
- authorized by Union or Member state law applicable to your company
- based on the individual’s explicit consent
With GDPR, people’s rights are an important part and they should not be ignored. Apart from being a condition for the highest penalties, they will definitely show that you are compliant with the Regulation and that you respect your clients’ rights. If you are not sure how to respond to people's access requests or how to transfer the data, double check what the Regulation says, it will help you to better understand your clients and to comply with legal requirements. And remember to follow our GDPR series.